IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Inbound Connection to an Unsecure Elasticsearch Node Installation of Custom Shim Databases »

› › ›

InstallUtil Process Making Network Connections

edit

InstallUtil Process Making Network Connections

edit

Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.

Rule type: eql

Rule indices:

logs-endpoint.events.*
winlogbeat-*

Severity: medium

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Defense Evasion

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit

/* the benefit of doing this as an eql sequence vs kql is this will
limit to alerting only on the first network connection */ sequence by
process.entity_id [process where event.type in ("start",
"process_started") and process.name : "installutil.exe"] [network
where process.name : "installutil.exe" and network.direction ==
"outgoing"]

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: InstallUtil
- ID: T1118
- Reference URL: https://attack.mitre.org/techniques/T1118/

« Inbound Connection to an Unsecure Elasticsearch Node Installation of Custom Shim Databases »